i bought a VPS to create an OpenVPN server. I got my Openvpn service up and running and i would like to ask for some help with the rest of the iptables please. Seems that i got a ton of port scanners and i do not know how to block them. I go the code from https://bash.cyberciti.biz/firewall/...dalone-server/
The thing is that the /Scripts/blockedips.txt does not contain anything. I would appreciate all the help available please.
here is my code:
Code:
#!/bin/bashIPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
echo "Starting IPv4 Wall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
modprobe ip_conntrack
[ -f /atux/Scripts/blocked.ips.txt ] && BADIPS=$(egrep -v -E "^#|^$" /atux/Scripts/blocked.ips.txt)
PUB_IF="eth0"
#unlimited
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# DROP all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
if [ -f /atux/Scripts/blocked.ips.txt ];
then
# create a new iptables list
$IPT -N $SPAMLIST
for ipblock in $BADIPS
do
$IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
$IPT -A $SPAMLIST -s $ipblock -j DROP
done
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
fi
# Block sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
# Block bad stuff
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow ssh
$IPT -A INPUT -p tcp --destination-port 55522 -j ACCEPT
# allow incomming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open port 80
#$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
##### Add your rules below ######
# 1194 OpenVPN
$IPT -A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
#################################################
# enable NAT
#################################################
sysctl -w net.ipv4.ip_forward=1
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#################################################
#OpenVpn_NAT. Allows connected devices to access Internet
#showing the VPSs IP
#################################################
$IPT -A POSTROUTING -s 172.16.1.0/24 -j tun0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
$IPT -I INPUT -i tun0 -j ACCEPT
$IPT -I FORWARD -i tun0 -j ACCEPT
$IPT -I FORWARD -o tun0 -j ACCEPT
$IPT -I OUTPUT -o tun0 -j ACCEPT
$IPT -I INPUT -t filter -p udp --dport 1723 -j ACCEPT
$IPT -A POSTROUTING -t nat -s 172.16.1.0/24 -j SNAT --to eth0
echo -e "allow openvpn connections\n"
#################################################
# ssh protection
#################################################
$IPT -N ATTACKED
$IPT -N ATTK_CHECK
$IPT -A INPUT -p tcp -m tcp --dport 55522 -m recent --update --seconds 86400 --name BANNED --rsource -j DROP
$IPT -A ATTACKED -m recent --update --seconds 600 --hitcount 3 -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
$IPT -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
$IPT -A ATTK_CHECK -m recent --set --name ATTK --rsource
$IPT -A ATTK_CHECK -m recent --update --seconds 600 --hitcount 3 --name ATTK --rsource -j ATTACKED
$IPT -A ATTK_CHECK -j ACCEPT
##### END your rules ############
# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
exit 0
Bookmarks